Researchers disclosed a critical session isolation vulnerability in Writer, an enterprise AI platform, allowing attackers to gain unauthorized access to accounts across different organizations. The flaw, codenamed WriteOut, could enable outsiders to exploit a shared link to hijack a victim's session, potentially compromising sensitive data and control over accounts.
Security researchers have identified a critical vulnerability in Writer, an enterprise AI platform, which has been patched. The flaw, dubbed WriteOut, allows attackers to exploit session isolation measures and gain unauthorized access to other users' accounts.
The vulnerability can be triggered by an attacker creating a live preview link for an agent in their Writer account. When a logged-in user clicks the link, their session cookie is sent to the attacker, allowing the attacker to hijack the user's Writer account. This exposes sensitive data, including chats and documents.
The flaw raises concerns about tenant isolation protections within Writer, as it undermines the shared responsibility model intended to safeguard user data. An attacker could potentially gain administrative control, depending on the victim's role, amplifying the risk for enterprise environments.
The WriteOut vulnerability represents a significant security risk in the use of AI platforms, particularly in multi-tenant environments where isolation is crucial. Organizations utilizing Writer are urged to ensure they update their systems to mitigate the risk of such vulnerabilities.
β¨ This summary was generated by AI from the outlets' reporting listed below. It is not independently verified and may contain errors β check the original sources. How BrevFeed works β
Researchers disclosed a critical session isolation vulnerability in Writer, an enterprise AI platform, allowing attackers to gain unauthorized access to accounts across different organizations. The flaw, codenamed WriteOut, could enable outsiders to exploit a shared link to hijack a victim's session, potentially compromising sensitive data and control over accounts.